Montana's privacy law at a glance
- Signed into law on May 19, 2023, by Governor Greg Gianforte, Montana’s new privacy law, the Montana Consumer Data Privacy Act (MCDPA), will come into effect on October 1, 2024.
- With only a few months to go before enforcement begins, businesses that fall under the law’s scope should begin working towards compliance now.
- Keep reading to learn who’s subject to Montana’s privacy law, what the law requires of businesses under its scope, and how the MCDPA differs from other state laws. You’ll find a 7-step compliance checklist at the end.
Who’s subject to Montana’s privacy law?
Montana’s privacy law applies to businesses conducting operations in Montana or targeting products or services to Montana residents. To meet the criteria, a business must either:
- Control or process the personal data of not less than 50,000 Montana residents, excluding data processed solely for payment transactions OR
- Control or process the personal data of not less than 25,000 Montana residents and derive more than 25 percent of their annual gross revenue from the sale of personal data.
This approach ensures that entities handling significant volumes of consumer data are subject to appropriate privacy obligations.
Key provisions and consumer rights
The MCDPA grants Montana residents new rights concerning their personal data, including:
- The right to confirm whether a business is processing their data
- The right to access the personal data a business holds on them
- The right to correct inaccurate personal data
- The right to request deletion of personal data
- The right to obtain a copy of their personal data (data portability)
- The right to opt out of processing for targeted advertising, the sale of personal data, or certain types of profiling
Businesses must respond to consumer requests within 45 days, with a possible extension of 45 days for complex requests. Moreover, consumers have the right to appeal a business’s decision, with businesses required to respond to appeals within 60 days.
Compliance requirements under Montana’s privacy law
Montana’s privacy law places significant obligations on businesses under its scope, including:
- Fulfilling consumer requests for access, deletion, correction, and more
- Limiting the collection of personal data to what is adequate and necessary
- Implementing reasonable data security practices
- Processing sensitive data only with consumer consent
- Providing clear and accessible privacy notices
- Disclosing data sales and targeted advertising activities
- Recognizing universal opt-out mechanisms by January 1, 2025
Furthermore, controllers must conduct data protection impact assessments for processing activities presenting a heightened risk of harm to consumers.
How Montana’s privacy law compares to other state privacy laws
Montana's new Consumer Data Privacy Act (MCDPA) stands out from other state privacy laws in a few key ways.
Lower applicability threshold
The MCDPA applies to companies handling personal data of at least 50,000 Montana consumers, or 25,000 if they make over 25% of their revenue from data sales. This threshold is lower than in other states due to Montana's smaller population.
Broad definition of data sales
Similar to California and Connecticut, the MCDPA defines "sale" of personal data broadly, including transfers for any valuable consideration, not just monetary exchanges. This widens the range of activities subject to opt-out rights.
Consumer rights
Consumers under the MCDPA have rights like revoking consent, requesting data deletion even for indirectly collected data, and opting out of data sales and targeted ads without authentication. Montana is only the second state, after Connecticut, to allow consent revocation.
Universal opt-out mechanism
Starting in 2025, the MCDPA requires companies to recognize universal opt-out mechanisms from browsers/devices for data sales and targeted ads, similar to Connecticut's privacy law.
Enforcement
Enforcement for Montana’s privacy law falls under the purview of the Montana Attorney General's Office, with exclusive authority granted to initiate actions against violators. Upon receiving notice of violation, businesses will have a 60-day cure period to address the issues laid out by the Attorney General’s office.
But it's important to note that the cure period expires on April 1, 2026, so businesses should not rely on this grace period to avoid penalties.
Montana privacy law compliance checklist
- Determine if the MCDPA applies to your business: Begin by scrutinizing your company's data handling practices to see if they fall under the MCDPA’s scope. If they do, it’s time to start working towards compliance.
- Complete a data inventory: Develop a comprehensive data inventory of all the personal data your business collects, processes, and stores. Make sure to include information about the categories of personal data gathered, processed, and retained, along with the rationale and legal basis for each processing activity. A meticulous data inventory is foundational to an effective gap analysis and gauging compliance risks.
- Establish mechanisms for fulfilling privacy requests: Montana’s privacy law requires that businesses respond to consumer requests for access, correction, erasure, transfer, and more. So it’s crucial that your business establishes a way to not only field and track these requests, but also to fulfill them in a timely manner. A next-generation privacy solution like Transcend DSR Automation can streamline this workflow, minimizing manual work for your teams.
- Implement a consent management mechanism: Compliant consent management requires collecting and enforcing consumers’ consent preferences across all digital touchpoints, from websites, to backend databases, to mobile applications. Implementing a full-stack consent solution like Transcend Consent Management is a simple way to ensure compliance with the MCDPA’s consent requirements.
- Conduct data protection assessments (DPAs): Montana's privacy law requires that businesses conduct data protection assessments before undertaking high-risk processing activities like personal data sale, automated profiling, or targeted advertising. Leveraging collaborative tools like Transcend Assessments can empower your teams with a unified perspective to proactively manage data processing risks.
- Publish clear privacy notices: Craft transparent and succinct privacy notices explaining your data processing practices, including the purposes of collection, personal data categories processed, and consumer rights as provided by the law. Make sure these notices are easy to access, read, and understand.
- Honor universal opt-out mechanisms: Prepare to acknowledge and respect universal opt-out mechanisms by January 1, 2025, including those pertaining to targeted advertising, data sales, and profiling.
Conclusion
Montana's Consumer Data Privacy Act represents a significant step towards enhancing consumer privacy rights and holding businesses accountable for responsible data handling practices.
Businesses operating in Montana must prioritize compliance with the MCDPA, leveraging next-generation privacy solutions like Transcend to navigate the evolving landscape of data protection laws effectively.
About Transcend
Transcend is a next-generation platform for privacy and data governance. Encoding privacy at the code layer, we provide solutions for any privacy challenge your teams may be facing—including getting you ready for new legislation like Montana's data privacy law.
From Consent Management, to DSR Automation, to a full suite of data mapping solutions (Data Inventory, Silo Discovery, Structured Discovery, Unstructured Discovery, and more), Transcend has you covered as your company grows and evolves in a swiftly changing regulatory environment.